﻿
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- saved from url=(0014)about:internet -->
<html xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:mssdk="winsdk" xmlns:script="urn:script" xmlns:build="urn:build" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="Description" content="Analyzing a User-Mode Dump File with CDB"/>
<meta name="MSHAttr" content="PreferredSiteName:MSDN"/>
<meta name="MSHAttr" content="PreferredLib:/library/windows/hardware"/>
<title>Analyzing a User-Mode Dump File with CDB</title>

<meta name="MS-HAID" content="r10_dump_files_4f6d2afd-9c77-4b24-8750-75b2b73b92a6.xml"/>


<link rel="STYLESHEET" type="text/css" HREF="../common/backsdk4.css"/>





<style>
html,div { margin: 0; padding: 0;}

body {
	padding: 0px;
	margin: 0px;
	overflow: auto;
	height: 100%;
}

#winchm_template_button{
	float: right;
	width: 93px;
	top: 7px;
	position: relative;
	text-align: right;
	right: 5px;
	height: auto;
}

#winchm_template_top{
	padding: 0px;
	margin: 0px;
	border-bottom: 1px solid #9B9B9B;
	background-color: #B1CEFE;
}

#winchm_template_navigation{
	margin: 0px;
	padding-top: 7px;
	padding-left: 7px;
	padding-bottom: 3px;
	padding-right: 0px;
	font-size: 8.5pt;
	font-family: Arial, Helvetica, sans-serif;
	font-weight: normal;
	color: #585858;
}

#winchm_template_title{
	margin: 0px;
	padding-top: 4px;
	padding-left: 7px;
	padding-bottom: 7px;
	padding-right: 0px;
	font-size: 18px; 
	font-family: Verdana, Geneva, sans-serif;
	color: #363636;
}

#winchm_template_content{
	margin-top: 20px;
	margin-left: 15px;
	margin-bottom: 20px;
	margin-right: 15px;
	width: auto  !important;
	width: 100%;
}

#winchm_template_footer{
	border-width: 1px;
	border-color: #B1CEFE;
	border-top-style: solid;
	margin-top: 15px;
	margin-left: 15px;
	margin-bottom: 20px;
	margin-right: 15px;
	padding-top: 7px;
	padding-left: 0px;
	padding-bottom: 0px;
	padding-right: 0px;
	font-family: arial, helvetica, sans-serif;
	font-size: 8.5pt;
	color: #696969;
	width: auto;
	text-align: left;
}


#winchm_template_container{
	margin: 0px;
	padding: 0px;
	position: static;
	padding-bottom: 3px;
	overflow: auto;
	background-color: #FFFFFF;
}


@media print
{
#winchm_template_container{
	position: static;	
	margin: 0px;
	padding: 5px;
	
	width: auto;
	height: auto;
	overflow: auto;
}
#winchm_template_button{
visibility:hidden;
}
}

#winchm_template_navigation A:link	{text-decoration: none; color:#004080}
#winchm_template_navigation A:visited  {text-decoration: none; color: #004080}
#winchm_template_navigation A:active {text-decoration: none; color: #004080 }
#winchm_template_navigation A:hover {text-decoration: none;color: #0080FF}

A:link	{text-decoration: underline; color:#0033CC}
A:visited  {text-decoration: underline; color: #0033CC}
A:active {text-decoration: underline; color: #0033CC }
A:hover {text-decoration: underline;color: #FF0000;}
</style>
<script type="text/javascript">
function isMobile(){
Agent = window.navigator.userAgent;
if (Agent.indexOf("iPhone")>=1 || Agent.indexOf("iPad")>=1 || Agent.indexOf("iPod")>=1 || Agent.indexOf("Android")>=1){
return true;
}else{
return false;	
}

}
function d_onresize(){
if (window.navigator.userAgent.indexOf("MSIE")>=1){
document.getElementById('winchm_template_container').style.pixelWidth = document.body.offsetWidth - 3;
document.getElementById('winchm_template_container').style.pixelHeight = document.body.offsetHeight - document.getElementById('winchm_template_top').offsetHeight - 4;
}
document.getElementById('winchm_template_container').style.top = document.getElementById('winchm_template_top').offsetHeight + 'px';
}

function d_onbeforeprint(){
document.getElementById('winchm_template_container').style.width = 'auto';
document.getElementById('winchm_template_container').style.height = 'auto';
}

function d_onafterprint(){
d_onresize();
}

if(!isMobile()){

window.onload = d_onresize;
window.onresize = d_onresize;
window.onbeforeprint = d_onbeforeprint;
window.onafterprint = d_onafterprint;

document.write("<style>\n");
document.write("body {overflow: hidden;}\n");
document.write("#winchm_template_container {position: absolute;overflow: auto;top : 0px;right: 0px;bottom: 0px;left: 0px;}\n");
document.write("</style>\n");
}

</script>
</head>
<body><script language="JavaScript" type="text/JavaScript">
function syn(){
if(parent.nav.tree){
 if(parent.nav.tree.loaded){
  parent.nav.tree.selectNode(1584);
 }else{
  setTimeout("syn()",500);
}
  }else{
  setTimeout("syn()",500);
  }}
if(parent!=self){
  setTimeout("syn()",100);
}else{
  parent.location.href = "../../index.htm?page=debugger/analyzing_a_user_mode_dump_file_with_cdb.htm";
}
originalOnload = window.onload;
if(originalOnload==null){
window.onload = function(){parent.contentLoaded = true;};
}else{
window.onload = function(){originalOnload();parent.contentLoaded = true;};
}
</script> 


<div id="winchm_template_top">
	<div id="winchm_template_button"><A href="analyzing_a_user_mode_dump_file.htm" title="Previous topic"><img id="winchm_template_prev" alt="Previous topic" src="../template2/btn_prev_n.gif" border="0"></a><A href="analyzing_a_user_mode_dump_file_with_windbg.htm" title="Next topic"><img id="winchm_template_next" alt="Next topic" src="../template2/btn_next_n.gif" border="0"></a></div>
	<div id="winchm_template_navigation">Help &gt; 
<A href="introduction6.htm">Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)</A> &gt; <A href="crash_dump_files.htm">Crash dump analysis using the Windows debuggers (WinDbg)</A> &gt; <A href="user_mode_dump_files.htm">User-Mode Dump Files</A> &gt; <A href="analyzing_a_user_mode_dump_file.htm">Analyzing a User-Mode Dump File</A> &gt; </div>
	<div id="winchm_template_title">Analyzing a User-Mode Dump File with CDB</div>
</div>
<div id="winchm_template_container">
	<div id="winchm_template_content"><div id="mainSection"><p>User-mode memory dump files can be analyzed by CDB. The processor or Windows version that the dump file was created on does not need to match the platform on which CDB is being run.</p>
<h3><a id="installing_symbol_files"></a><a id="INSTALLING_SYMBOL_FILES"></a>Installing Symbol Files</h3>
<p>Before analyzing the memory dump file, you will need to install the symbol files for the version of Windows that generated the dump file. These files will be used by the debugger you choose to use to analyze the dump file. For more information about the proper installation of symbol files, see <a href="#Bookmark1500">Installing Windows Symbol Files</a>.</p>
<p>You will also need to install all the symbol files for the user-mode process, either an application or system service, that caused the system to generate the dump file. If this code was written by you, the symbol files should have been generated when the code was compiled and linked. If this is commercial code, check on the product CD-ROM or contact the software manufacturer for these particular symbol files.</p>
<h3><a id="starting_cdb"></a><a id="STARTING_CDB"></a>Starting CDB</h3>
<p>To analyze a dump file, start CDB with the <b>-z</b> command-line option:</p>
<p><b>cdb -y </b><i>SymbolPath</i><b> -i </b><i>ImagePath</i><b> -z </b><i>DumpFileName</i></p>
<p>The <b>-v</b> option (verbose mode) is also useful. For a full list of options, see <a href="#Bookmark1903"><b>CDB Command-Line Options</b></a>.</p>
<p>You can also open a dump file after the debugger is running by using the <a href="#Bookmark2150"><b>.opendump (Open Dump File)</b></a> command, followed with <a href="#Bookmark1997"><b>g (Go)</b></a>. This allows you to debug multiple dump files at the same time.</p>
<p>It is possible to debug multiple dump files at the same time. This can be done by including multiple <b>-z</b> switches on the command line (each followed by a different file name), or by using <a href="#Bookmark2150"><b>.opendump</b></a> to add additional dump files as debugger targets. For information about how to control a multiple-target session, see <a href="#Bookmark1402">Debugging Multiple Targets</a>.</p>
<p>Dump files generally end with the extension .dmp or .mdmp. You can use network shares or Universal Naming Convention (UNC) file names for the memory dump file.</p>
<p>It is also common for dump files to be packed into a CAB file. If you specify the file name (including the .cab extension) after the <b>-z</b> option or as the argument to an <a href="#Bookmark2150"><b>.opendump</b></a> command, the debugger can read the dump files directly out of the CAB. However, if there are multiple dump files stored in a single CAB, the debugger will only be able to read one of them. The debugger will not read any additional files from the CAB, even if they are symbol files or executables associated with the dump file.</p>
<h3><a id="analyzing_a_full_user_dump_file"></a><a id="ANALYZING_A_FULL_USER_DUMP_FILE"></a>Analyzing a Full User Dump File</h3>
<p>Analysis of a full user dump file is similar to analysis of a live debugging session. See the <a href="#Bookmark1915">Debugger Commands</a> reference section for details on which commands are available for debugging dump files in user mode.</p>
<p></p>
<h3><a id="analyzing_minidump_files"></a><a id="ANALYZING_MINIDUMP_FILES"></a>Analyzing Minidump Files</h3>
<p>Analysis of a user-mode minidump file is done in the same way as a full user dump. However, since much less memory has been preserved, you are much more limited in the actions you can perform. Commands that attempt to access memory beyond what is preserved in the minidump file will not function properly.</p>
<h3><a id="additional_techniques"></a><a id="ADDITIONAL_TECHNIQUES"></a>Additional Techniques</h3>
<p>For techniques that can be used to read specific kinds of information from a dump file, see <a href="#Bookmark1586">Extracting Information from a Dump File</a>.</p></div></div>	
	<div id="winchm_template_footer">Copyright &copy; 2019. All rights 
reserved. (To change the copyright info, just edit it in template.)</div>
</div>

</body>
</html>
